upstream/unbound
1
0
Fork 0
mirror of https://github.com/NLnetLabs/unbound.git synced 2025-12-20 23:00:56 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

- For #515: Fix compilation with openssl 3.0.0 beta2, lib64 dir and

Browse source 
SSL_get_peer_certificate.
- Move acx_nlnetlabs.m4 to version 41, with lib64 openssl dir check.
This commit is contained in:
W.C.A. Wijngaards 2021-07-30 13:54:43 +02:00
parent 11caae256b
commit b6abcb1508
7 changed files with 46 additions and 21 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
acx_nlnetlabs.m4
View file

@ -2,7 +2,8 @@
# Copyright 2009, Wouter Wijngaards, NLnet Labs. # Copyright 2009, Wouter Wijngaards, NLnet Labs.
# BSD licensed. # BSD licensed.
# #
# Version 40 # Version 41
# 2021-07-30 fix for openssl use of lib64 directory.
# 2021-06-14 fix nonblocking test to use host instead of target for mingw test. # 2021-06-14 fix nonblocking test to use host instead of target for mingw test.
# 2021-05-17 fix nonblocking socket test from grep on mingw32 to mingw for # 2021-05-17 fix nonblocking socket test from grep on mingw32 to mingw for
# 64bit compatibility. # 64bit compatibility.
@ -669,9 +670,15 @@ AC_DEFUN([ACX_SSL_CHECKS], [
HAVE_SSL=yes HAVE_SSL=yes
dnl assume /usr is already in the lib and dynlib paths. dnl assume /usr is already in the lib and dynlib paths.
if test "$ssldir" != "/usr" -a "$ssldir" != ""; then if test "$ssldir" != "/usr" -a "$ssldir" != ""; then
LDFLAGS="$LDFLAGS -L$ssldir/lib" if test ! -d "$ssldir/lib" -a -d "$ssldir/lib64"; then
LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir/lib" LDFLAGS="$LDFLAGS -L$ssldir/lib64"
ACX_RUNTIME_PATH_ADD([$ssldir/lib]) LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir/lib64"
ACX_RUNTIME_PATH_ADD([$ssldir/lib64])
else
LDFLAGS="$LDFLAGS -L$ssldir/lib"
LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir/lib"
ACX_RUNTIME_PATH_ADD([$ssldir/lib])
fi
fi fi
AC_MSG_CHECKING([for EVP_sha256 in -lcrypto]) AC_MSG_CHECKING([for EVP_sha256 in -lcrypto])

3
config.h.in
View file

@ -541,6 +541,9 @@
/* Define to 1 if you have the `SSL_get0_peername' function. */ /* Define to 1 if you have the `SSL_get0_peername' function. */
#undef HAVE_SSL_GET0_PEERNAME #undef HAVE_SSL_GET0_PEERNAME
/* Define to 1 if you have the `SSL_get1_peer_certificate' function. */
#undef HAVE_SSL_GET1_PEER_CERTIFICATE
/* Define to 1 if you have the `SSL_set1_host' function. */ /* Define to 1 if you have the `SSL_set1_host' function. */
#undef HAVE_SSL_SET1_HOST #undef HAVE_SSL_SET1_HOST

32
configure vendored
View file

@ -811,7 +811,6 @@ infodir
docdir docdir
oldincludedir oldincludedir
includedir includedir
runstatedir
localstatedir localstatedir
sharedstatedir sharedstatedir
sysconfdir sysconfdir
@ -962,7 +961,6 @@ datadir='${datarootdir}'
sysconfdir='${prefix}/etc' sysconfdir='${prefix}/etc'
sharedstatedir='${prefix}/com' sharedstatedir='${prefix}/com'
localstatedir='${prefix}/var' localstatedir='${prefix}/var'
runstatedir='${localstatedir}/run'
includedir='${prefix}/include' includedir='${prefix}/include'
oldincludedir='/usr/include' oldincludedir='/usr/include'
docdir='${datarootdir}/doc/${PACKAGE_TARNAME}' docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
@ -1215,15 +1213,6 @@ do
| -silent | --silent | --silen | --sile | --sil) | -silent | --silent | --silen | --sile | --sil)
silent=yes ;; silent=yes ;;
-runstatedir | --runstatedir | --runstatedi | --runstated \
| --runstate | --runstat | --runsta | --runst | --runs \
| --run | --ru | --r)
ac_prev=runstatedir ;;
-runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
| --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
| --run=* | --ru=* | --r=*)
runstatedir=$ac_optarg ;;
-sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
ac_prev=sbindir ;; ac_prev=sbindir ;;
-sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
@ -1361,7 +1350,7 @@ fi
for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \
datadir sysconfdir sharedstatedir localstatedir includedir \ datadir sysconfdir sharedstatedir localstatedir includedir \
oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
libdir localedir mandir runstatedir libdir localedir mandir
do do
eval ac_val=\$$ac_var eval ac_val=\$$ac_var
# Remove trailing slashes. # Remove trailing slashes.
@ -1514,7 +1503,6 @@ Fine tuning of the installation directories:
--sysconfdir=DIR read-only single-machine data [PREFIX/etc] --sysconfdir=DIR read-only single-machine data [PREFIX/etc]
--sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
--localstatedir=DIR modifiable single-machine data [PREFIX/var] --localstatedir=DIR modifiable single-machine data [PREFIX/var]
--runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run]
--libdir=DIR object code libraries [EPREFIX/lib] --libdir=DIR object code libraries [EPREFIX/lib]
--includedir=DIR C header files [PREFIX/include] --includedir=DIR C header files [PREFIX/include]
--oldincludedir=DIR C header files for non-gcc [/usr/include] --oldincludedir=DIR C header files for non-gcc [/usr/include]
@ -18020,8 +18008,19 @@ _ACEOF
$as_echo "found in $ssldir" >&6; } $as_echo "found in $ssldir" >&6; }
HAVE_SSL=yes HAVE_SSL=yes
if test "$ssldir" != "/usr" -a "$ssldir" != ""; then if test "$ssldir" != "/usr" -a "$ssldir" != ""; then
LDFLAGS="$LDFLAGS -L$ssldir/lib" if test ! -d "$ssldir/lib" -a -d "$ssldir/lib64"; then
LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir/lib" LDFLAGS="$LDFLAGS -L$ssldir/lib64"
LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir/lib64"
if test "x$enable_rpath" = xyes; then
if echo "$ssldir/lib64" | grep "^/" >/dev/null; then
RUNTIME_PATH="$RUNTIME_PATH -R$ssldir/lib64"
fi
fi
else
LDFLAGS="$LDFLAGS -L$ssldir/lib"
LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir/lib"
if test "x$enable_rpath" = xyes; then if test "x$enable_rpath" = xyes; then
if echo "$ssldir/lib" | grep "^/" >/dev/null; then if echo "$ssldir/lib" | grep "^/" >/dev/null; then
@ -18029,6 +18028,7 @@ $as_echo "found in $ssldir" >&6; }
fi fi
fi fi
fi
fi fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for EVP_sha256 in -lcrypto" >&5 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for EVP_sha256 in -lcrypto" >&5
@ -18441,7 +18441,7 @@ done
# these check_funcs need -lssl # these check_funcs need -lssl
BAKLIBS="$LIBS" BAKLIBS="$LIBS"
LIBS="-lssl $LIBS" LIBS="-lssl $LIBS"
for ac_func in OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites SSL_CTX_set_tlsext_ticket_key_evp_cb SSL_CTX_set_alpn_select_cb SSL_get0_alpn_selected SSL_CTX_set_alpn_protos for ac_func in OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites SSL_CTX_set_tlsext_ticket_key_evp_cb SSL_CTX_set_alpn_select_cb SSL_get0_alpn_selected SSL_CTX_set_alpn_protos SSL_get1_peer_certificate
do : do :
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"

2
configure.ac
View file

@ -865,7 +865,7 @@ AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_C
# these check_funcs need -lssl # these check_funcs need -lssl
BAKLIBS="$LIBS" BAKLIBS="$LIBS"
LIBS="-lssl $LIBS" LIBS="-lssl $LIBS"
AC_CHECK_FUNCS([OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites SSL_CTX_set_tlsext_ticket_key_evp_cb SSL_CTX_set_alpn_select_cb SSL_get0_alpn_selected SSL_CTX_set_alpn_protos]) AC_CHECK_FUNCS([OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites SSL_CTX_set_tlsext_ticket_key_evp_cb SSL_CTX_set_alpn_select_cb SSL_get0_alpn_selected SSL_CTX_set_alpn_protos SSL_get1_peer_certificate])
LIBS="$BAKLIBS" LIBS="$BAKLIBS"
AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto], [], [], [ AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto], [], [], [

4
daemon/remote.c
View file

@ -3338,7 +3338,11 @@ int remote_control_callback(struct comm_point* c, void* arg, int err,
if (!rc->use_cert) { if (!rc->use_cert) {
verbose(VERB_ALGO, "unauthenticated remote control connection"); verbose(VERB_ALGO, "unauthenticated remote control connection");
} else if(SSL_get_verify_result(s->ssl) == X509_V_OK) { } else if(SSL_get_verify_result(s->ssl) == X509_V_OK) {
#ifdef HAVE_SSL_GET1_PEER_CERTIFICATE
X509* x = SSL_get1_peer_certificate(s->ssl);
#else
X509* x = SSL_get_peer_certificate(s->ssl); X509* x = SSL_get_peer_certificate(s->ssl);
#endif
if(!x) { if(!x) {
verbose(VERB_DETAIL, "remote control connection " verbose(VERB_DETAIL, "remote control connection "
"provided no client certificate"); "provided no client certificate");

3
doc/Changelog
View file

@ -1,6 +1,9 @@
30 July 2021: Wouter 30 July 2021: Wouter
- Fix #515: Compilation against openssl 3.0.0 beta2 is failing to - Fix #515: Compilation against openssl 3.0.0 beta2 is failing to
build unbound. build unbound.
- For #515: Fix compilation with openssl 3.0.0 beta2, lib64 dir and
SSL_get_peer_certificate.
- Move acx_nlnetlabs.m4 to version 41, with lib64 openssl dir check.
26 July 2021: George 26 July 2021: George
- Merge #513: Stream reuse, attempt to fix #411, #439, #469. This - Merge #513: Stream reuse, attempt to fix #411, #439, #469. This

8
util/netevent.c
View file

@ -1271,7 +1271,11 @@ ssl_handshake(struct comm_point* c)
if((SSL_get_verify_mode(c->ssl)&SSL_VERIFY_PEER)) { if((SSL_get_verify_mode(c->ssl)&SSL_VERIFY_PEER)) {
/* verification */ /* verification */
if(SSL_get_verify_result(c->ssl) == X509_V_OK) { if(SSL_get_verify_result(c->ssl) == X509_V_OK) {
#ifdef HAVE_SSL_GET1_PEER_CERTIFICATE
X509* x = SSL_get1_peer_certificate(c->ssl);
#else
X509* x = SSL_get_peer_certificate(c->ssl); X509* x = SSL_get_peer_certificate(c->ssl);
#endif
if(!x) { if(!x) {
log_addr(VERB_ALGO, "SSL connection failed: " log_addr(VERB_ALGO, "SSL connection failed: "
"no certificate", "no certificate",
@ -1297,7 +1301,11 @@ ssl_handshake(struct comm_point* c)
#endif #endif
X509_free(x); X509_free(x);
} else { } else {
#ifdef HAVE_SSL_GET1_PEER_CERTIFICATE
X509* x = SSL_get1_peer_certificate(c->ssl);
#else
X509* x = SSL_get_peer_certificate(c->ssl); X509* x = SSL_get_peer_certificate(c->ssl);
#endif
if(x) { if(x) {
log_cert(VERB_ALGO, "peer certificate", x); log_cert(VERB_ALGO, "peer certificate", x);
X509_free(x); X509_free(x);